Three simple steps to determine risk tolerance

Craig Shumard | April 17, 2013
For CISOs, beyond deciding what policies, processes, or technology an organization should have in place, an even more significant challenge is successfully negotiating disputed risk issues. The process for determining risk tolerance is fraught with organizational politics, and it goes without saying that each organization's circumstances call for a customized fit. When defining that process, the most important aspects to take into account are how the organization decides on risk tolerance, how security risk assumption decisions are made, and who has the authority to assume security risks.

Secondly, categorizing risks as enterprise versus business unit risks determines who can assume each risk for the organization. The organization should ask whether the security risks are contained within one business unit, or whether they impact the entire enterprise or multiple business units.

Finally, organizations should document how disputed issues are escalated and resolved, so that every business unit knows how risks are escalated and who needs to be involved in resolving them. This documentation includes procedures for categorizing the risk(s) and the delegated authority levels by function.


A formal security risk assumption process that is documented and approved by the CEO and/or the Board of Directors is a critical first step toward successfully resolving contested risk tolerance issues. Just as importantly, the right people need to have the right level of authority to assume enterprise security risks on behalf of the organization.

Every successful CISO must determine and navigate the risk tolerance level of their organization -- as political as that can be -- with the knowledge that risk tolerance drives organizational values.

Craig Shumard is Principal at Shumard and Associates, a strategic security consulting company specializing in helping decision makers improve and measure information security solutions. He also serves as an advisor to Tenable Network Security. Formerly the Chief Information Security Officer at CIGNA, Shumard has extensive experience in the areas of information security, privacy, and compliance.

